Department of Homeland Security

Progress Has Been Made in Securing Laptops and Wireless Networks at FEMA

OIG-12-93                                   June 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 27, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the Federal Emergency Management Agency’s efforts to safeguard laptop computers and implement controls to protect the sensitive data processed by its wireless networks and devices from potential exploits. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank W. Deffer
Assistant Inspector General
Information Technology Audits

Table of Contents/Abbreviations

Executive Summary ..... 1
Background ..... 2
Results of Audit ..... 5
     Actions Taken To Enhance Laptop and Wireless Security ..... 5
     Laptop Inventory Management Controls Need Strengthening ..... 7
          Recommendations ..... 9
          Management Comments and OIG Analysis ..... 9
     Improvements Needed on Laptop Security Management ..... 9
          Recommendations ..... 16
          Management Comments and OIG Analysis ..... 16
     Performing Assessments Can Enhance Wireless Security ..... 17
          Recommendation ..... 19
          Management Comments and OIG Analysis ..... 19

Appendices
     Appendix A: Purpose, Scope, and Methodology ..... 20
     Appendix B: Management Comments to the Draft Report ..... 22
     Appendix C: Major Contributors to this Report ..... 25
     Appendix D: Report Distribution ..... 26

Abbreviations
     DHS       Department of Homeland Security
     DISC      Disaster Information Systems Clearinghouse
     EOC       Enterprise Operations Center
     FEMA      Federal Emergency Management Agency
     FMD       Facilities Management Division
     IT        information technology
     JFO       Joint Field Office
     LIMS      Logistics Information Management System
     MERS      Mobile Emergency Response Support
     NACS      National Emergency Management Information System Access Control System
     OCIO      Office of the Chief Information Officer
     OIG       Office of Inspector General
     USGCB     United States Government Configuration Baseline

Department of Homeland Security
Office of Inspector General

Executive Summary

We audited the Federal Emergency Management Agency’s (FEMA) efforts to protect its laptop computers and controls implemented to protect sensitive data processed by its wireless networks and devices from potential exploits. Specifically, we evaluated FEMA’s inventory process for safeguarding its laptops, reviewed its configuration management program, and conducted security assessments on its wireless networks.
Additionally, we followed up on FEMA’s actions to address the recommendations cited in two prior audit reports.

FEMA has taken actions to improve the inventory and configuration management controls to protect its laptop computers and the sensitive information they store and process. Furthermore, FEMA has implemented technical controls to protect the information stored on and processed by its wireless networks and devices.

However, we found weaknesses in the component-wide adoption of FEMA’s automated property management system, reporting of lost and stolen laptops, implementation of hard drive encryption, use of a standardized laptop image, timely installation of security patches, documentation of laptop sanitization, and accounting for wireless networks. These weaknesses put laptops and the sensitive information stored and processed on them at risk of exploitation. Improvements are needed to address security risks and ensure the security of laptops and wireless networks and devices.

We are making two recommendations to the Chief Administrative Officer and five recommendations to the Chief Information Officer. FEMA concurred with all of our recommendations and has begun to take actions to implement them. FEMA’s responses are summarized and evaluated in the body of this report and included, in their entirety, as appendix B.

Progress Has Been Made in Securing Laptops and Wireless Networks at FEMA
Page 1

Background

FEMA coordinates the Federal Government’s role in preparing for, preventing, mitigating the effects of, responding to, and recovering from all natural or manmade domestic disasters, including acts of terror. As of October 2011, FEMA had more than 7,400 employees, who include a mix of full-time and part-time employees on standby for deployment after disasters. Employees are stationed at FEMA headquarters in Washington, DC; at regional and area offices across the country; and at the National Emergency Training Center in Emmitsburg, MD.

To accomplish its mission, FEMA relies heavily on the use of laptop computers, which have grown in popularity across the Federal Government. As of October 2011, FEMA reported an inventory of more than 40,000 laptops across the enterprise. Although the mobility of laptops has increased the productivity of the Federal workforce, it has also increased the risk of theft and unauthorized disclosure of sensitive data.

The use of wireless networks and devices (e.g., Institute of Electrical and Electronics Engineers 802.11x) is increasing throughout the Federal Government.[1] Wireless technologies are used to support FEMA’s mission in a variety of ways at Joint Field Offices (JFOs), regional offices, and distribution centers.[2] Wireless networks extend the range of wired networks by using radio waves to transmit data to wireless-enabled devices, such as mobile devices and laptops. Wireless technologies offer many potential benefits in improving employee productivity and flexibility. In addition, deploying wireless networks can provide tremendous cost savings compared with wired infrastructures. However, wireless networks and devices can also introduce significant security issues when they are not properly configured, such as eavesdropping, the need for physical protection of wireless devices, and unauthorized deployment of wireless access points.

[1] The 802.11x (e.g., 802.11a, b, g, and n) standards developed by the Institute of Electrical and Electronics Engineers are frequently used for transmission specifications on wireless devices.
[2] A JFO is a temporary Federal multiagency coordination center established locally to facilitate field-level domestic incident management activities related to prevention, preparedness, response, and recovery.

In June 2007, we reported deficiencies in configuration, patch, and inventory management controls over FEMA’s government-issued laptops.[3] We found that sensitive information stored and processed on FEMA laptops might not have been protected properly. Specifically, we found that FEMA had not established (1) effective processes to apply the domain security policy to its laptops that met required minimum security settings, (2) effective procedures to patch laptops, and (3) adequate laptop inventory management procedures. We also determined that FEMA had an incomplete and inaccurate laptop inventory. We were unable to locate 26 of 242 (11 percent) of a random selection of laptops.

[3] Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security (OIG-07-50), June 2007.

The Operations Support Branch of the Office of the Chief Information Officer (OCIO) is responsible for providing information technology (IT) capabilities to FEMA and State and local governments in support of the component’s all-hazards mission. The Operations Support Branch manages, operates, and maintains FEMA’s IT systems, networks, and services centers. The Field Support Team within the Operations Support Branch maintains a distribution warehouse, known as the Disaster Information Systems Clearinghouse (DISC).

The DISC centralizes wireless network deployment in support of local, regional, and field offices across the country. In addition, the DISC serves as a centralized facility where selected laptops and communications equipment are housed in preparation for a disaster, shipped to JFOs once they are activated, and eventually returned upon closure of the disaster. DISC laptops are stored in ready-to-ship sets of 50 units each known as “kits,” as shown in figure 1.

Figure 1: Kits upon arrival at the Albany Joint Field Office

In December 2010, the OCIO established the Enterprise Wireless Local Area Network General Support System to provide wireless local area network connectivity across FEMA and network infrastructure resources to its end users. In addition, wireless networks are deployed at 9 of 10 Regional Offices to grant public Internet access only (i.e., the FEMA Enterprise Network[4] is inaccessible) to Federal, State, local, tribal, and private sector partners during Regional Response Coordination Center activations.[5] JFOs, in comparison, are initially activated with a wireless network that grants users access to the FEMA Enterprise Network.

[4] All facets of FEMA’s community use the FEMA Enterprise Network to transmit data between users, systems, and applications; to connect to external agencies with which FEMA conducts business; and to provide server infrastructure for applications and systems that support FEMA’s mission.
[5] Regional offices activate their Regional Response Coordination Centers to serve as the main coordination point between Federal agencies to support State and local governments with disaster response and recovery.

FEMA centrally manages the authorization, deployment, security, and monitoring of wireless networks. The FEMA OCIO Authorizing Official tracks and authorizes wireless networks. Members of Disaster Response Teams at the DISC are responsible for deploying and securing wireless networks at JFOs. The JFO wireless networks follow a standardized deployment and security architecture, as shown in figure 2.

Figure 2: Architecture for wireless local area network installation

After deployment and throughout the rest of the life cycle, the FEMA Network Operations Center monitors wireless networks. The wireless networks at JFOs are either taken down when the site is deactivated or are replaced with a wired network when the site becomes a permanent office.

Results of Audit

Actions Taken To Enhance Laptop and Wireless Security

FEMA has made progress in implementing management controls to safeguard laptops through improved inventory maintenance. For example, we selected 178 laptops at five sites to determine whether FEMA had accurately recorded the laptop locations in its property management system. We were able to locate all 178 laptops. This is an improvement over the results from our prior audit.
Table 1 summarizes the results of our 2011 inventory evaluation.

Location                                                    Laptops Selected   Laptops Located   Percent Located
DISC, Winchester, VA                                              101                101              100%
Region 10 Headquarters, Bothell, WA                                 8                  8              100%
Mobile Emergency Response Support Detachment, Bothell, WA          19                 19              100%
Joint Field Office, Albany, NY                                     29                 29              100%
Joint Field Office, New Orleans, LA                                21                 21              100%
Total                                                             178                178              100%
Table 1: Results of 2011 OIG Inventory Evaluation

FEMA has also implemented the following inventory controls:

     • Issued the FEMA Personal Property Manual to establish a comprehensive framework to help manage and account for government property procured by FEMA;

     • Captured more than 40,000 laptops in its automated property management system, the Logistics Information Management System (LIMS); and

     • Conducted comprehensive annual reviews of accountable property, including laptops, as specified in the FEMA Personal Property Manual.

In addition, FEMA has implemented the following technical controls to safeguard the information stored on and processed by its laptops and wireless networks:

     • FEMA centrally manages the configuration and patch management process on laptops using a combination of controls, including a FEMA-developed password management solution and third-party vulnerability management software. In addition, FEMA has deployed standardized images on its laptops. A standardized image can help to establish a consistent baseline implementation of configuration controls across the enterprise.

     • The Chief Information Officer approved a standardized Windows 7 image on March 30, 2011. FEMA began to deploy the new image in November 2011. As of January 2012, 300 laptops with the Windows 7 image had been shipped from the DISC to two sites.

     • The OCIO has developed standard operating procedures for sanitizing its laptops to ensure that sensitive information is not recoverable when laptops are transferred, become obsolete, or are no longer usable.

     • Wireless signals are not broadcasting beyond the perimeter of buildings at the sites visited, as FEMA has deployed wireless access points strategically to minimize signal leakage and potential unauthorized access. Further, we identified no rogue or unauthorized wireless networks or devices with access to the FEMA Enterprise Network.[6] Wireless access points are configured not to broadcast extended service set identifiers to avoid advertising wireless networks’ identities and functions to potential attackers.[7]

     • Virtual private network software is required to be installed on laptops before users can connect to wireless networks. Secure connections are established through an encrypted virtual private network tunnel using either one-factor or two-factor authentication.

     • FEMA employs wireless intrusion protection systems to monitor and detect malicious behavior on its Enterprise Wireless Local Area Network.

[6] We used AirMagnet software to scan for unauthorized wireless networks and to detect signal leakage at four sites: the DISC, Region 10 headquarters, Albany JFO, and New Orleans JFO.
[7] An extended service set identifier is used to identify a wireless network to client devices, as specified in the Institute of Electrical and Electronics Engineers standards for 802.11x wireless networks.

Although FEMA has taken actions to strengthen its inventory and configuration management controls, improvements are needed to ensure the security of its laptop computers and wireless networks and devices. Specifically, FEMA must address remaining weaknesses in the component-wide adoption of LIMS, reporting of lost and stolen laptops, implementation of hard drive encryption, use of a standardized operating system image, timely installation of security patches, documentation of
laptop sanitization, and accounting for wireless networks.

Laptop Inventory Management Controls Need Strengthening

Although FEMA has made progress in strengthening the inventory management process for its laptop computers, it can make further improvements by implementing additional inventory management controls. Specifically, FEMA needs to account for all laptops in LIMS and ensure that lost or stolen laptops are reported to the Department as security incidents. These weaknesses hinder FEMA’s ability to quickly distribute laptops in response to an emergency declaration and may prevent management from taking appropriate corrective actions in response to the loss or theft of laptop computers.

FEMA Is Not Accounting for All Laptops in LIMS

Some FEMA offices are not properly accounting for laptop computers in LIMS. While evaluating incidents of lost and stolen laptops, we found that 13 government-purchased laptops were reported missing to the Department of Homeland Security’s Enterprise Operations Center (DHS EOC) in 2011. However, 3 of these 13 laptops had never been accounted for in LIMS. The discrepancy exists because the Facilities Management Division (FMD) does not have the component-wide management support needed to ensure that LIMS is used to account for all government property. An FMD official told us that some FEMA offices choose to procure laptops and not record their purchase in LIMS.

The FEMA Personal Property Manual requires the use of LIMS to account for all government accountable property. Further, DHS requires components to establish and maintain an accurate information systems inventory. When laptops are not properly accounted for, FEMA officials do not have a complete and accurate inventory of their disaster response equipment. This hinders FEMA’s ability to facilitate the distribution of laptops needed to manage response and recovery efforts following a disaster. It also creates an opportunity for theft and fraud, as offices have property that is not subject to inventory reviews.

Lost or Stolen Laptops Are Not Reported Consistently

Lost or stolen laptops are not being reported consistently to the DHS EOC as security incidents. FEMA requires a Report of Survey to be completed whenever a laptop is lost, stolen, damaged, or destroyed. In 2011, 60 Reports of Survey were completed for 242 laptops. However, FEMA could not determine how many of these 242 laptops were lost or stolen. FMD estimated that 95 percent were lost or stolen and 5 percent were damaged or destroyed. By this estimate, approximately 230 laptops should have been reported as lost or stolen to the DHS EOC as security incidents. However, FEMA reported only 13 lost or stolen laptops to the DHS EOC in 2011. This is an indicator that FEMA cannot account for all of its laptops and does not comply with DHS security incident reporting requirements. As a result, FEMA and DHS may have underreported FEMA’s security incidents in the Department’s fiscal year 2011 Federal Information Security Management Act submission.

FMD was able only to estimate how many laptops were lost or stolen versus damaged or destroyed because LIMS users do not properly populate fields in LIMS to record this information. FMD must then rely on hard copies of Reports of Survey to obtain more detail about a specific incident. In 2007, we reported that FEMA identified 58 lost or stolen laptops between January 2005 and September 2006.[8] We noted that these incidents were reported to FEMA headquarters but not to the DHS Computer Security Incident Response Center, which is now part of the DHS EOC.

[8] Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security (OIG-07-50), June 2007.

DHS requires components to report significant incidents to the DHS EOC no later than 1 hour after the security event is confirmed as an incident. Minor incidents must be reported to the DHS EOC in a weekly incident report. However, the Report of Survey procedures as outlined in the FEMA Personal Property Manual, as well as the instructions on the Report of Survey itself, do not address the requirement to report the loss of sensitive personal property, such as laptops, to the DHS EOC.

Not reporting the loss or theft of laptops to the DHS EOC prevents FEMA from taking appropriate corrective actions in response to the loss or theft of a laptop. Also, it limits senior officials’ knowledge of the extent of laptop security issues.

Recommendations

We recommend that the Chief Administrative Officer:

Recommendation #1: Implement appropriate management controls to ensure that all government-purchased laptops are accounted for in LIMS in accordance with applicable policy.

Recommendation #2: Work with the Chief Information Officer to establish a process to ensure that the loss or theft of laptops is reported timely as security incidents to the DHS EOC.

Management Comments and OIG Analysis

FEMA concurred with recommendation 1. The Chief Administrative Officer will put measures into place to ensure that unaccounted-for laptops discovered in LIMS are escalated as an issue and addressed in compliance with policy. Further, compliance will be evaluated in July 2012 once an annual inventory review is completed.

We agree that the steps FEMA plans to take begin to satisfy this recommendation. This recommendation will remain open until FEMA provides documentation to support that all planned corrective actions are completed.

FEMA concurred with recommendation 2. The Chief Administrative Officer will put measures in place to ensure that accountable property reported as missing during inventories is reconciled with the incident reports received by the FEMA Security Operations Center.
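The reconciliation just described, matching property reported missing against incident reports and checking the 1-hour reporting window, is the kind of check that can be automated. The following is an added example written for this page; it is not the report's or FEMA's code, and the record layouts, field names, asset tags, timestamps and the "significant incident" window are constructed assumptions rather than LIMS or DHS EOC formats:

```python
"""Reconcile Reports of Survey against DHS EOC incident tickets (constructed example).

Three findings from the report are modelled: (1) laptops lost or stolen per a Report
of Survey but never reported to the EOC, (2) incidents reported later than the 1-hour
window for significant incidents, (3) laptops in EOC tickets that were never entered
in the property system (LIMS). A blank disposition on a Report of Survey is flagged
rather than guessed, since that blank is what forced FMD to estimate in 2011.
All records below are constructed sample data; the field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed LIMS extract: asset tag -> record. `loss_type` is frequently blank.
LIMS = {
    "FEMA-0001": {"serial": "SN1001", "loss_type": "Stolen"},
    "FEMA-0002": {"serial": "SN1002", "loss_type": ""},
    "FEMA-0003": {"serial": "SN1003", "loss_type": "Damaged"},
    "FEMA-0004": {"serial": "SN1004", "loss_type": "Lost"},
    "FEMA-0005": {"serial": "SN1005", "loss_type": ""},
}

# Constructed Reports of Survey. One report may cover several laptops.
REPORTS_OF_SURVEY = [
    {"ros": "ROS-11-01", "assets": ["FEMA-0001", "FEMA-0002"], "disposition": "Stolen",
     "confirmed": datetime(2011, 3, 1, 9, 0)},
    {"ros": "ROS-11-02", "assets": ["FEMA-0003"], "disposition": "Damaged",
     "confirmed": datetime(2011, 4, 2, 10, 0)},
    {"ros": "ROS-11-03", "assets": ["FEMA-0004"], "disposition": "Lost",
     "confirmed": datetime(2011, 5, 3, 11, 0)},
    {"ros": "ROS-11-04", "assets": ["FEMA-0005"], "disposition": "",
     "confirmed": datetime(2011, 6, 4, 12, 0)},
]

# Constructed DHS EOC incident tickets. FEMA-9999 was never recorded in LIMS.
EOC_INCIDENTS = [
    {"incident": "INC-11-01", "asset": "FEMA-0001", "reported": datetime(2011, 3, 1, 9, 30)},
    {"incident": "INC-11-02", "asset": "FEMA-9999", "reported": datetime(2011, 7, 5, 8, 0)},
    {"incident": "INC-11-03", "asset": "FEMA-0004", "reported": datetime(2011, 5, 4, 11, 0)},
]

REPORTABLE = {"lost", "stolen"}            # must be reported to the EOC as an incident
NON_REPORTABLE = {"damaged", "destroyed"}  # property action only, no security incident
REPORT_WINDOW = timedelta(hours=1)         # DHS window for significant incidents (assumed
                                           # here to apply to every lost/stolen laptop)


def classify(report):
    """Return 'reportable', 'non_reportable' or 'unknown' for one Report of Survey.

    A blank or unrecognised disposition is 'unknown': it cannot be reconciled
    automatically and must be resolved from the paper form.
    """
    disposition = report["disposition"].strip().lower()
    if disposition in REPORTABLE:
        return "reportable"
    if disposition in NON_REPORTABLE:
        return "non_reportable"
    return "unknown"


def reconcile(lims, reports, incidents):
    """Cross-check property-loss records against incident tickets.

    Returns a dict of lists: assets never reported to the EOC, assets reported
    outside REPORT_WINDOW, Reports of Survey with no usable disposition, and
    assets in incident tickets that do not exist in the property system.
    """
    incidents_by_asset = {i["asset"]: i for i in incidents}
    result = {"unreported": [], "late": [], "unknown_disposition": [], "not_in_lims": []}

    for report in reports:
        kind = classify(report)
        if kind == "unknown":
            result["unknown_disposition"].append(report["ros"])
            continue
        if kind != "reportable":
            continue
        for asset in report["assets"]:
            ticket = incidents_by_asset.get(asset)
            if ticket is None:
                result["unreported"].append(asset)
            elif ticket["reported"] - report["confirmed"] > REPORT_WINDOW:
                result["late"].append(asset)

    # The reverse check: every incident should point at a known, inventoried asset.
    for asset in incidents_by_asset:
        if asset not in lims:
            result["not_in_lims"].append(asset)
    return result


if __name__ == "__main__":
    for category, items in reconcile(LIMS, REPORTS_OF_SURVEY, EOC_INCIDENTS).items():
        print(f"{category:20s} {items}")
```

On the constructed data the check finds one stolen laptop never reported (FEMA-0002), one lost laptop reported a day late (FEMA-0004), one Report of Survey that cannot be classified because the disposition was left blank, and one incident (FEMA-9999) for a laptop that never existed in the property system, the same shape as the 3-of-13 discrepancy in the finding above.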
Instances of missing laptops will be\n             escalated and appropriately addressed. Compliance with policy\n             will be evaluated when the annual inventory review is performed\n             in July 2012.\n\n             We agree that the steps FEMA plans to take begin to satisfy this\n             recommendation. This recommendation will remain open until\n             FEMA provides documentation to support that missing laptops are\n             reported timely as security incidents to the DHS EOC.\n\nImprovements Needed on Laptop Security Management\n     FEMA has not implemented all required controls on its Windows XP\n     laptops to prevent unauthorized access. Nor has FEMA encrypted the\n     hard drives to protect sensitive data stored on its laptops. Finally, some of\n\n\n   Progress Has Been Made in Securing Laptops and Wireless Networks at FEMA\n\n                                    Page 9\n\x0c                 the sites we visited are not following documented sanitization procedures\n                 to reimage, reissue, or transfer laptops.\n\n                 To evaluate FEMA\xe2\x80\x99s patch management process, we performed\n                 vulnerability scans on 116 laptops at four regional offices and one JFO to\n                 determine if security patches were deployed timely to mitigate software\n                 vulnerabilities. In addition, we evaluated the compliance with applicable\n                 United States Government Configuration Baseline (USGCB) and DHS\n                 required settings on 73 laptops.\n\n                          FEMA Has Not Encrypted All of Its Laptops\n\n                          FEMA has not encrypted all of its laptop hard drives to protect its\n                          sensitive information from unauthorized access. 
FEMA’s practice is to encrypt the entire laptop hard drive, as DHS requires, to prevent operating system controls from being circumvented and to restrict access to the information stored on the drive. However, as of January 2012, only 7,956 (20 percent) of its 40,130 laptop hard drives are encrypted. FEMA expects all laptop hard drives to be encrypted by April 2012. DHS requires that laptops be encrypted according to National Security Agency requirements. Additionally, electronic data must be encrypted using at least 256-bit Advanced Encryption Standard according to Federal Information Processing Standards. [9]

In 2011, 60 Reports of Survey were completed for 242 laptops that were lost, stolen, damaged, or destroyed. If the hard drive of any of these laptops was not encrypted, the sensitive information stored on it would be accessible by circumventing other technical controls. We reported in June 2007 that we were able to access all the information stored on an unencrypted FEMA laptop. [10]

Laptop Images Are Not Standardized

FEMA has not configured its laptop computers with all USGCB settings. We determined that the standard Windows XP baseline image complies with 92 percent of USGCB controls. However, our scan results revealed that Windows XP laptops in the field are not being configured with this standard image.
In comparison, Windows 7 laptops are consistently compliant with most USGCB controls. As figure 3 shows, our scan results from a selection of laptops revealed an average of 55 percent Windows XP compliance and 92 percent Windows 7 compliance.

[9] Federal Information Processing Standard 197 details the Advanced Encryption Standard, a cryptographic algorithm that can be used to protect electronic data.
[10] Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security (OIG-07-50), June 2007.

Figure 3: Windows 7 and Windows XP USGCB compliance

We identified the following examples of noncompliance with USGCB requirements:

• Administrative rights are granted automatically when users log in through the Windows recovery console. [11] Granting administrative rights automatically when using the recovery console increases the risk of unauthorized access and allows system controls to be circumvented.

• Default administrator accounts on laptops have not been renamed or disabled. When Windows is installed, it configures several built-in accounts by default, such as an administrator account.
Default administrator accounts provide attackers with a known user that has elevated permissions to access information stored locally on the laptop.

• Password-protected screen savers are not used to secure unattended computers after a period of inactivity. Without screen saver passwords, a malicious user may log into an unattended laptop to gain unauthorized access to FEMA information.

The discrepancy between Windows XP and Windows 7 compliance exists because Windows XP laptops lack the policy that enforces these settings throughout the FEMA domain. As a result, compliance with USGCB settings on Windows XP laptops varies greatly throughout FEMA.

[11] The recovery console is used primarily to repair damaged installations of Windows.

The Federal Information Security Management Act of 2002 requires agencies to apply configuration management principles to Federal information systems, including hardware, software, and standardized configuration settings. [12] In September 2010, the Chief Information Officer Council approved USGCB settings required for Windows 7 in addition to those previously specified for Windows XP. [13]
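The USGCB items listed above, together with the local password settings the report turns to below under "FEMA Password Policy Is Not Enforced for Local Users" (history of 24 passwords, complexity enabled, change at least every 90 days), can be graded from a policy export collected from each laptop. What follows is an added example, not code from the OIG report or from FEMA. It assumes the format of a `secedit /export` file (`[System Access]` keys such as PasswordHistorySize, MaximumPasswordAge, PasswordComplexity, NewAdministratorName and EnableAdminAccount, and `[Registry Values]` entries written as path=type,data) and that the registry value RecoveryConsole\SecurityLevel holds the "allow automatic administrative logon" setting; the two sample exports, the account name in them and the finding labels are constructed for the example. The password-protected screen saver is a per-user setting that a secedit export does not carry, so it is not checked here.

```python
"""Check a secedit policy export against the laptop baseline items cited in this report.
Added example (not code from the OIG report or FEMA). `secedit /export /cfg policy.inf`
writes the effective local security policy as an INI-style file (UTF-16 on disk);
collected from each laptop, it can be graded centrally. Samples below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Registry value behind "Recovery console: Allow automatic administrative logon" (0 = disabled).
RECOVERY_CONSOLE_KEY = (
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel"
)

# Constructed sample: a field laptop showing the weaknesses the report lists.
WEAK_LAPTOP_INF = r"""
[System Access]
MaximumPasswordAge = 180
PasswordComplexity = 0
PasswordHistorySize = 0
NewAdministratorName = "Administrator"
EnableAdminAccount = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
"""

# Constructed sample: a laptop meeting every threshold checked here.
COMPLIANT_LAPTOP_INF = r"""
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
PasswordHistorySize = 24
NewAdministratorName = "lt-breakglass"
EnableAdminAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
"""

@dataclass(frozen=True)
class Finding:
    control: str   # baseline item, in the report's terms
    observed: str  # what the export shows
    required: str  # what the baseline demands

def parse_secedit(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-style export into {section: {key: value}}; surrounding quotes dropped."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def registry_dword(sections: dict, path: str) -> int | None:
    """[Registry Values] lines are `path=TYPE,DATA`; TYPE 4 is REG_DWORD."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    return int(data) if reg_type.strip() == "4" else None

def evaluate(sections: dict) -> list[Finding]:
    """Compare a parsed export against the thresholds the report states."""
    findings: list[Finding] = []
    access = sections.get("System Access", {})

    def number(key: str, default: int) -> int:
        value = access.get(key)
        return int(value) if value is not None else default

    history = number("PasswordHistorySize", 0)
    if history < 24:  # USGCB: remember the last 24 passwords
        findings.append(Finding("password history", f"{history} remembered", "24 remembered"))
    max_age = number("MaximumPasswordAge", -1)  # secedit writes -1 for "never expires"
    if max_age <= 0 or max_age > 90:  # DHS: change at least every 90 days
        findings.append(Finding("maximum password age", f"{max_age} days", "1 to 90 days"))
    if number("PasswordComplexity", 0) != 1:  # USGCB: complexity enabled
        findings.append(Finding("password complexity", "disabled", "enabled"))
    # Assumption: an export without NewAdministratorName means the account was never renamed.
    renamed = access.get("NewAdministratorName", "Administrator") != "Administrator"
    if number("EnableAdminAccount", 1) == 1 and not renamed:
        findings.append(Finding("built-in administrator account", "enabled, default name",
                                "renamed or disabled"))
    level = registry_dword(sections, RECOVERY_CONSOLE_KEY)
    if level != 0:  # None (policy absent) is also non-compliant
        findings.append(Finding("recovery console automatic admin logon",
                                "not set" if level is None else str(level), "0 (disabled)"))
    return findings

def audit(inf_text: str) -> list[Finding]:
    return evaluate(parse_secedit(inf_text))

if __name__ == "__main__":
    for name, inf in (("weak laptop", WEAK_LAPTOP_INF), ("compliant laptop", COMPLIANT_LAPTOP_INF)):
        for f in audit(inf):
            print(f"{name}: {f.control}: observed {f.observed}, required {f.required}")
```

On a real export, call `audit(open(path, encoding="utf-16").read())`; counting laptops with zero findings across a fleet of exports gives the same kind of compliance percentage the report's scans produced, and the per-finding detail shows which setting the standard image or domain policy is failing to enforce.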
[12] Congress enacted Title III of the E-Government Act of 2002 (Public Law 107-347, Sections 301–305) to improve security within the Federal Government. Title III of the E-Government Act, entitled the Federal Information Security Management Act, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets.
[13] Office of Management and Budget Memorandum 07-11 required that agencies running Windows XP adopt the settings outlined in the Federal Desktop Core Configuration no later than February 1, 2008. In September 2010, the USGCB replaced the Federal Desktop Core Configuration as the baseline for configuration requirements.

Without proper USGCB controls in place, sensitive information stored on FEMA laptops could be subject to potential exploits. Additionally, a compromised laptop could provide unauthorized access to the FEMA network. Fully implementing a standard configuration across the component will reduce the risk that sensitive information may be exposed.

Security Patches Are Not Applied to Laptops Timely

FEMA is not effectively deploying security patches to its laptops. Our vulnerability scans identified missing security patches, such as a July 2007 patch for Microsoft Visio that could allow arbitrary remote code execution. Arbitrary remote code execution would allow unauthorized users to take control of a laptop. Other examples of missing security patches include those for Adobe Acrobat, Java, Adobe Flash Player, Microsoft patch bulletins, Adobe Air, and Web browsers. Figure 4 shows the percentage of scanned laptops with at least one detected instance of a known high-risk vulnerability.

Figure 4: Percentage of laptops with known application vulnerabilities

FEMA uses a centralized third-party software solution to deploy patches to systems throughout the enterprise. The current process requires security patches to be approved and sent to servers at regional offices to deploy locally. Local administrators are then notified to deploy patches to the systems at their site. An OCIO representative explained that patches may not be deployed timely because of delays between the time patches are sent to onsite servers and when they are applied to local systems.

DHS requires components to reduce system vulnerabilities by promptly installing security and software patches. Security patches are required to protect systems from potential exploits and vulnerabilities as they are discovered. The DHS EOC releases vulnerability management messages to alert components to security patches.
The messages tell users the timeframe within which a security patch must be applied.

Failure to install software patches could expose FEMA laptops to risk, depending on the severity of the vulnerability identified. Malicious emails can trick users into visiting a Web page or opening files designed to exploit vulnerabilities in software installed on laptops. Ensuring that software is up to date minimizes this risk and protects laptops and the sensitive information they process and store.

FEMA Password Policy Is Not Enforced for Local Users

FEMA local administrator accounts are not configured to comply with DHS password policy. Weak password controls are configured on laptops, resulting in easily guessed passwords on local accounts. Specifically, Active Directory has not been configured to remember any of the previous passwords used, require local passwords to be changed every 180 days, and require password complexity. Additionally, local accounts are being shared among onsite administrators. Weak password controls may allow malicious users to gain unauthorized access to sensitive information stored on laptops.

Although FEMA has configured Active Directory controls that are applied to all users, these controls do not adhere to DHS password requirements.
Instead, FEMA uses the National Emergency Management Information System Access Control System (NACS), an in-house developed software tool, to enforce user password settings. Although password controls enforced through NACS apply to all domain accounts, this policy does not apply to local accounts on FEMA laptops. Since local administrator accounts receive only the Active Directory settings and not the stronger NACS controls, these accounts may have weak passwords.

DHS requires users to change their passwords every 90 days to prevent users from gaining unauthorized access. DHS also requires accounts to be assigned to one user and not shared among personnel. Additionally, USGCB policy states that password complexity must be enabled and account history set to remember the last 24 passwords used.

Weak password controls can result in a compromised administrator account. FEMA information stored on a laptop with a compromised local administrator account could be exposed to unnecessary risk. Additionally, since these accounts do not belong to a single person, audit trails cannot be used to identify who accessed information stored on a laptop.

Laptop Sanitization Is Not Consistently Documented

Laptop sanitization is not being consistently documented at the sites visited. [14]
Specifically, these sites do not document execution of this process and certify the completion of sanitization according to FEMA policy. When laptop sanitization is not performed and documented consistently, FEMA cannot ensure that unauthorized users cannot recover deleted data from the hard drives.

[14] Sanitization refers to the process of removing and erasing data from storage media such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.

For example, although laptop sanitization is being performed and documented at the DISC, Bothell Mobile Emergency Response Support (MERS) Detachment, and New Orleans JFO, the process is not recorded at the FEMA Region 10 headquarters or Albany JFO. In addition, a locally developed form is used to document laptop sanitization at the DISC, Bothell MERS Detachment, and New Orleans JFO, instead of the required OCIO certification.
We also determined that the forms developed at these sites do not contain all the required information, such as date, sanitization method used, and name of the Property Custodian.

In November 2010, the Administrator issued Directive #137-2, which requires documentation of laptop sanitization and includes a Sanitization Certification Form for use in meeting the requirement. In addition, it specifies that no electronic media will be issued, transferred, disposed of, or returned to vendors or manufacturers without being sanitized to the standards of this Directive.

DHS requires components to maintain records of the sanitization and disposition of information systems storage media. In addition, FEMA requires the Property Custodian and Enterprise Service Desk/Local IT Site Support to complete the Sanitization Certification Form included in the media sanitization and release directive when a laptop is sanitized. The National Institute of Standards and Technology recommends that agencies sanitize digital media using approved equipment and procedures. In addition, agencies should track, document, and verify media sanitization and destruction actions and periodically test sanitization equipment and procedures to ensure correct performance.

According to FEMA personnel, they do not document laptop sanitization according to OCIO requirements because the OCIO has not informed offices of the media sanitization procedures issued in November 2010.
Further, the OCIO does not verify whether offices comply with the media sanitization requirements.

Without documenting media sanitization, FEMA cannot verify that a laptop has been sanitized and that its deleted data cannot be easily recovered. As a result, there is greater risk of mistakenly disposing of or reassigning a laptop that has not been wiped of sensitive information. This may compromise the confidentiality of information on the laptop, especially if the laptop is unencrypted.

Recommendations

We recommend that the Chief Information Officer:

Recommendation #3: Accelerate the implementation schedule to deploy full hard drive encryption for all laptops to prevent unauthorized access to information.

Recommendation #4: Ensure that all required USGCB configuration settings are implemented on FEMA laptops.

Recommendation #5: Ensure that security and software patches are deployed in a timely manner to all FEMA laptops.

Recommendation #6: Implement appropriate management controls to ensure that laptop sanitization procedures, including documentation, are followed at all FEMA facilities.

Management Comments and OIG Analysis

FEMA concurred with recommendation 3. The Chief Information Officer has accelerated the upgrade of all laptops from Windows XP to a Windows 7 image that includes hard drive encryption software. The estimated completion date of the upgrade and implementation of hard drive encryption is November 2012.

We agree that the steps FEMA has taken and plans to take begin to satisfy this recommendation.
This recommendation will remain open until FEMA provides documentation to support that all planned corrective actions are completed.

FEMA concurred with recommendation 4. FEMA stated that the required USGCB configuration settings had been implemented on all Windows laptops, and asked that this recommendation be closed.

During our audit, scan results revealed that Windows 7 laptops are consistently compliant with most USGCB controls. However, we also found that Windows XP laptops in the field are not being configured with this standard image. We agree that FEMA will improve the compliance of USGCB settings when all laptops are upgraded to the Windows 7 image. This recommendation will remain open until FEMA provides documentation to support that all planned corrective actions are completed or the implementation of USGCB settings is verified through security testing.

FEMA concurred with recommendation 5. The Chief Information Officer has begun replacing current patch management solutions with an agency-wide centralized patching mechanism. The new patching mechanism will be fully deployed by September 2012.

We agree that the steps FEMA has taken and plans to take begin to satisfy this recommendation. This recommendation will remain open until FEMA provides documentation to support that all planned corrective actions are completed.

FEMA concurred with recommendation 6.
The Chief Information Officer will improve the awareness of FEMA’s Electronic and Hard Copy Media Sanitization and Release standard operating procedure and establish a process to monitor its enforcement by July 2012. The standard operating procedure requires the use of FEMA Form 137-1-1 to certify sanitization.

We agree that the steps FEMA plans to take begin to satisfy this recommendation. This recommendation will remain open until FEMA provides documentation to support that all planned corrective actions are completed.

Performing Assessments Can Enhance Wireless Security

FEMA can enhance its wireless security by assessing the associated risks and the effectiveness of controls implemented to protect the data stored on and processed by its wireless networks and devices. When these assessments are not performed, there is greater risk that security controls implemented to protect FEMA’s wireless networks can be circumvented.

The Risks of JFO Wireless Networks Have Not Been Assessed

FEMA has not performed risk assessments on its wireless networks at JFOs, as they are not included as part of the authorization boundary of any information system. The use of sensitive wireless systems is approved by the OCIO, but JFOs are not included as part of any FEMA General Support System or major application, as required by DHS’ system inventory methodology. As a result, the Authorizing Official does not have the most up-to-date information to make credible risk-based decisions regarding the system.

The OCIO is aware that the JFOs are not accounted for in any recognized IT system.
According to the OCIO, JFO wireless networks will eventually be included in the Enterprise Wireless Local Area Network system boundary. However, the process of formally accounting for them will take some time. As of January 2012, the Enterprise Wireless Local Area Network has not received a full Authority to Operate, and the current system boundary includes only wireless networks deployed at distribution centers, not JFOs. The OCIO did not provide an expected date for granting the full Authority to Operate or for adding JFO wireless networks to the system boundary.

DHS requires that all IT assets be itemized and accounted for as part of a General Support System or Major Application. The use of wireless communications technologies is prohibited until it is approved by the appropriate Authorizing Official. Further, Authorizing Officials must approve the implementation and use of wireless systems at a specified risk level during the assessment and authorization process. Finally, appropriate and effective security measures are to be included in the System Security Plan.

As of January 2012, 56 JFOs were activated across the country. Including JFOs in recognized IT systems will help to ensure that the systems are tracked and secured as required by DHS. Further, the OCIO will be kept informed of risks associated with each wireless system.

Annual Security Assessments Have Not Been Performed for JFO Wireless Networks

FEMA has not performed annual security assessments on all of its JFO wireless networks as required by DHS.
For example, the New Orleans JFO wireless network has not undergone a security assessment since the office was established in October 2005. JFO personnel said that they were not aware of the requirement to perform security assessments on wireless networks. The OCIO confirmed that assessments had yet to be performed.

According to the OCIO, since FEMA does not include JFO wireless networks in the boundary of any recognized IT system, annual wireless assessments are not required. However, the Network Operations Center does monitor the hardware that operates FEMA’s wireless networks.

DHS requires that security assessments be conducted annually on all approved wireless systems. Wireless security assessments result in the ability to enumerate vulnerabilities, risk statements, risk levels, and corrective actions. The Information Systems Security Officer is required to perform a risk assessment periodically or when a major change is made that affects the overall system security posture.

Since annual wireless security assessments have not been performed, FEMA may not be aware of vulnerabilities that may lead to potential exploits. Routine security assessments can be used to identify rogue or unauthorized access points, backdoors, and other system vulnerabilities, as well as to enumerate vulnerabilities, levels of risk, and corrective actions.
Further, risk mitigation plans prioritize corrective actions and implementation milestones in accordance with defined risk levels.

Recommendation

We recommend that the Chief Information Officer:

Recommendation #7: Account for all wireless networks within a recognized IT system and implement management controls to ensure that annual wireless security assessments are conducted.

Management Comments and OIG Analysis

FEMA concurred with recommendation 7. The Chief Information Officer will require that all wireless networks and devices be enrolled into the FEMA Network Operations Center for management and monitoring. In addition, the Chief Information Security Officer will establish controls to ensure that wireless security assessments are conducted annually. These efforts are expected to be completed by September 2012.

We agree that the steps FEMA plans to take begin to satisfy this recommendation. This recommendation will remain open until FEMA provides documentation to support that planned corrective actions are completed and all wireless networks are accounted for within a recognized IT system.

Appendix A
Purpose, Scope, and Methodology

The objective of our audit was to determine whether FEMA has implemented effective controls to protect its laptop computers and the sensitive data processed by its wireless networks and devices from potential exploits.
Specifically, we determined whether FEMA has (1) implemented an effective inventory management process to safeguard its laptop computers, (2) implemented effective configuration management controls to protect its laptop computers, (3) implemented effective controls to ensure that sensitive information processed by its wireless networks and devices is protected from potential exploits, and (4) taken corrective actions to mitigate the findings cited in our prior audit reports, OIG-07-50 and OIG-08-14 (SECRET).

Our audit focused on requirements outlined in the DHS Sensitive Systems Handbook 4300A, United States Government Configuration Baseline, DHS Windows XP Secure Baseline Configuration Guide, DHS Windows 7/Internet Explorer 8 Configuration Guidance, and FEMA Personal Property Manual 119-7-1. We interviewed selected personnel and management officials in the Support Services and Facilities Management Division of the Office of the Chief Administrative Officer, the IT Security Branch and Operations Support Branch of the Office of the Chief Information Officer, and the Logistics Management Directorate of the Office of Response and Recovery, as well as personnel stationed at JFOs.
Fieldwork was performed at the DISC in Winchester, VA; FEMA JFO in Albany, NY; FEMA JFO in New Orleans, LA; MERS Detachment in Bothell, WA; FEMA Region 10 headquarters in Bothell, WA; and FEMA headquarters in Washington, DC.

We reviewed FEMA inventory maintenance policies and procedures, employee exit processing procedures, access rights to LIMS, laptop sanitization procedures, laptop distribution procedures, laptop configuration and patch management plans, and wireless network security policy. In addition, we conducted vulnerability and USGCB compliance scans of Windows XP and Windows 7 laptop images on a random selection of 116 deployed laptops. We conducted testing to identify unauthorized wireless networks and signal leakage and performed an inventory evaluation of a random selection of 178 laptops. The laptops identified for our inventory evaluation were randomly selected from LIMS once we judgmentally identified locations for our site visits based on the concentration of laptops and use of wireless networks.
The laptops identified for scans were randomly selected from four regional offices and one JFO, including from sites we visited.

We conducted this performance audit between September 2011 and January 2012 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives. Major OIG contributors to the audit are identified in appendix C.

The principal OIG point of contact for the audit is Frank W. Deffer, Assistant Inspector General, Information Technology Audits, at (202) 254-4100.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, D.C.
20-172\n\n\n\n\n                                                                  8 ; FEMA\n                                          ~y   11 1011\n\n        MEMORANDUM FOR: Charles K. Edwards\n                        Acting Inspector General\n                        Department of Homeland Security\n\n        FROM:                     D?vid J. Kaufinan\n                                  DIrector\n                                                     /.JZ\n                                                   /l\'L----\n                                  Office of Policy and Program Analysis\n\n        SUBJECT:                  OIG Draft Report : Progress Nas Beell Made iI/ Securing Laptops 1I11d\n                                  Wireless Networks lit F\xc2\xa3MA - For Official Use Only\n                                  OIG Project No. II-IS I-ITA-FEMA\n\n\n        The Federal Emergency Management Agency (FEMA) appreciates the Department of Homeland\n        Security (DHS) Office of the Inspector Genera l\'s cvaluation of our laptop scc\\lrity controls and\n        wireless networks. The evaluation has been very helpful in identifying areas requiring improvement\n        and prioritizing work to implement the recommendations.\n\n        FEMA concurs with the auditor\'s recommendations in the above referenced dran report. The\n        FEMA Office of the Chief Infonnation Officcr (OC IO) is resolute in dirccting these audit\n        recommendations be effect ively implemented. Plans of Action and Milestones (POA&Ms) are\n        being developed to ensure thc recommendations are implemented in a timely manner. FEMA\'s\n        OCIO Audit Remediation Team meets w(."Ckly with Action Officers to review the status of planned\n        remediation milestones and address issues that are impeding progress. Branch Chiefs receive\n        weekly reports reflecting the status of their organization \'s assigned actions and are working to\n        correct findings. 
        Implementation of corrective actions is a performance goal for each Branch Chief
        in the OCIO.

        In reviewing the report, we noted that the number of laptops reported as lost or stolen was incorrect
        on page S. The number should be changed from 13 to 25. Attachment 1 lists the related security
        incidents.

        Regarding your recommendations, FEMA's response to each follows:

        Recommendation #1: Implement appropriate management controls to ensure that all government-
        purchased laptops are accounted for in the Logistics Information Management System (LIMS) in
        accordance with applicable policy.

        Response: FEMA Manual 119-7-1, Personal Property (Attachment 2), has established standards
        regarding accounting for laptops in LIMS. Property Management Officers (PMO) and Accountable
        Property Officers (APO) are required to follow this Manual. Conference calls with PMOs and APOs
        are routinely held that stress the importance of property accountability. Measures will be put in
        place to ensure that any discovery of laptops not being accounted for in LIMS is escalated to ensure
        that non-compliance is appropriately addressed. Policy regarding this control is already established.
        Compliance with policy will be tested in July after the annual inventory is completed.

        This recommendation will remain open until it is tested and found to be effective.
        The expected completion date is July 2012.

        Recommendation #2: Work with the Chief Information Officer to establish a process to ensure that
        the loss or theft of laptops is reported timely as security incidents to the DHS EOC.

        Response: The FEMA Security Team aggressively investigates all reports of stolen laptops and
        other computer equipment. The Rules of Behavior (Attachment 3) that users sign when issued
        accountable property include the requirement to report lost or stolen property to the FEMA Security
        Operations Center (SOC). Measures will be put in place to ensure that accountable property
        reported as missing during inventories is reconciled with the incident reports received by the SOC
        to ensure that the missing property was reported to the SOC promptly upon discovery. Instances
        where the incident was not reported will be escalated and appropriately addressed. Policy regarding
        this control is already established. Compliance with policy will be tested in July after the annual
        inventory is completed.

        This recommendation will remain open until it is tested and found to be effective. The expected
        completion date is July 2012.

        Recommendation #3: Accelerate the implementation schedule to deploy full hard drive encryption
        for all laptops to prevent unauthorized access to information.

        Response: Accelerating the upgrade from Windows XP to the current Windows 7 image would
        satisfy this requirement because the WinMagic agent is included on this image.
        The established timeline for completing this upgrade is November 30, 2012.

        This recommendation is considered resolved and open until the upgrade is completed.

        Recommendation #4: Ensure that all required USGCB configuration settings are implemented on
        FEMA laptops.

        Response: All Windows laptops meet required USGCB configuration settings at this time.

        FEMA requests that this recommendation be resolved and closed.

        Recommendation #5: Ensure that security and software patches are deployed in a timely manner to
        all FEMA laptops.

        Response: Patchlink and Windows Server Update Services (WSUS) are being phased out; Altiris,
        the centralized patching mechanism, will be fully deployed by September 30, 2012 provided receipt
        of follow-on funding. Agency-wide implementation of Altiris will correct this issue.

        FEMA considers this recommendation resolved and open until implementation of the above action.

        Recommendation #6: Implement appropriate management controls to ensure that laptop
        sanitization procedures, including documentation, are followed at all FEMA facilities.

        Response: The Electronic and Hard Copy Media Sanitization and Release Standard Operating
        Procedure (SOP) standardizes the media sanitization process to include the usage of FEMA Form
        137-1-1 to certify. The SOP was signed and published September 2, 2011 and is included as
        Attachment 4. The OCIO will re-socialize this SOP FEMA-wide and establish a process to monitor
        its enforcement by July 31, 2012.
        To address the issue of password policy not being enforced for
        local users described in the report, FEMA will update its group policy to address the password
        vulnerabilities. This action is planned for completion by June 30, 2012.

        FEMA considers this recommendation resolved and open until implementation of the above action.

        Recommendation #7: Account for all wireless networks within a recognized IT system and
        implement management controls to ensure that annual wireless security assessments are conducted.

        Response: The CIO is requiring that all wireless devices/networks be enrolled into the FEMA
        Network Operations Center for management and monitoring. The Chief Information Security
        Officer will establish controls to ensure that wireless security assessments are conducted annually.
        These actions are scheduled to be completed by September 30, 2012.

        FEMA considers this recommendation resolved and open until implementation of the above action.

        Again, we thank you for the opportunity to review your draft report.
        If you have any questions,
        please have your staff contact Brad Shetks, FEMA's OIG and GAO Liaison, at 202-646-1308.

        Attachment 1 - Listing of Incident Reports for Lost or Stolen Laptops

        Attachment 2 - FEMA Manual 119-7-1, Personal Property

        Attachment 3 - DHS 4300A, Sensitive Systems Handbook, Attachment G, Rules of Behavior

        Attachment 4 - FEMA Standard Operating Procedures, Electronic and Hard Copy Media
        Sanitization and Release

Appendix C
Major Contributors to this Report

                     Chiu-Tong Tsang, Director
                     Mike Horton, IT Officer
                     Amanda Strickler, Team Lead
                     Bridget Glazier, IT Auditor
                     David Bunning, IT Specialist
                     Gregory Wilson, Management/Program Assistant
                     Matthew Worner, Referencer

Appendix D
Report Distribution

                      Department of Homeland Security

                      Secretary
                      Deputy Secretary
                      Chief of Staff
                      Deputy Chief of Staff
                      General Counsel
                      Executive Secretariat
                      Assistant Secretary for Office of Policy
                      Assistant Secretary for Office of Public Affairs
                      Assistant Secretary for Office of Legislative Affairs
                      Administrator, FEMA
                      Chief Information Officer, DHS
                      Chief Information Security Officer, DHS
                      Chief Information Officer, FEMA
                      Chief Administrative Officer, FEMA
                      Chief Information Security Officer, FEMA
                      Associate Administrator, Response and Recovery, FEMA
                      Director, Compliance and Oversight, DHS OCISO
                      Director, GAO/OIG Liaison Office
                      Audit Liaison, CIO, DHS
                      Audit Liaison, CISO, DHS
                      Audit Liaison, FEMA
                      IT Audit Liaison, FEMA

                      Office of Management and Budget

                      Chief, Homeland Security Branch
                      DHS OIG Budget Examiner

                      Congress

                      Congressional Oversight and Appropriations Committees, as
                      appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General
(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to
our OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov.
For additional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter
@dhsoig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal
or noncriminal misconduct relative to Department of Homeland Security programs and
operations:

• Call our Hotline at 1-800-323-8603

• Fax the complaint directly to us at (202)254-4292

• E-mail us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600,
        Attention: Office of Investigation - Hotline,
        245 Murray Drive SW, Building 410
        Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.